[cobalt-security] just a question . . .
- Subject: [cobalt-security] just a question . . .
 
- From: "Fragga" <fragga@xxxxxxxxxxxx>
 
- Date: Mon, 11 Feb 2002 10:11:46 -0600
 
- List-id: Mailing list for users to address network security on Cobalt products. <cobalt-security.list.cobalt.com>
 
hello all. . .
firstly, thanks for all your responses regarding the apache admin server
running as root issue.
guess i'll just have to live with it regarding that.
secondly i wonder if u can answer a question regarding http connections,
i normally cron a job to run each hour which mails me a few logs and the output
of a netstat -at | grep www . sometimes however i seem to get web connections
where apache has opened multiple ports for. I know that it juggles it onto a different
port when it receives a connection but i get multiples similar to the output of
<snip>
...........
tcp        0      0 hostname.net:www       194.200.***.***:47144   TIME_WAIT
tcp        0      0 hostname.net:www       194.200.***.***:46442   TIME_WAIT
tcp        0      0 hostname.net:www       194.200.***.***:46427   TIME_WAIT
tcp        0      0 hostname.net:www       194.200.***.***:46424   TIME_WAIT
tcp        0      0 hostname.net:www       194.200.***.***:46423   TIME_WAIT
tcp        0      0 hostname.net:www       194.200.***.***:46407   TIME_WAIT
tcp        0      0 hostname.net:www       194.200.***.***:46402   TIME_WAIT
tcp        0      0 hostname.net:www       194.200.***.***:46398   TIME_WAIT
tcp        0      0 hostname.net:www       194.200.***.***:46320   TIME_WAIT
tcp        0      0 hostname.net:www       194.200.***.***:46319   TIME_WAIT
tcp        0      0 hostname.net:www       194.200.***.***:46318   TIME_WAIT
tcp        0      0 hostname.net:www       194.200.***.***:46291   TIME_WAIT
tcp        0      0 hostname.net:www       194.200.***.***:46269   TIME_WAIT
............ and goes on and on . . . .
</snip> ( shortened for the sake of boredom )
seems strange that sometimes it has so many connections open. . .
can anyone shed any light on this ? i thought that maybe this would
be the start of a SYN flood trying to determine sequence numbers etc
or possibly some sort of nmap scan however it's puzzling as it's only
connected to HTTP. Apologies if this is standard TCP / IP Practice i
was just wondering.
any ideas ?
cheers
fragga
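
An added example (not part of the original post): a shell filter for the hourly `netstat -at | grep www` report that counts web connections per remote host and TCP state, so already-closed connections (TIME_WAIT) can be told apart from half-open ones (SYN_RECV, the state a SYN flood accumulates). The function names, the threshold argument and the sample lines are constructed for illustration.

```shell
#!/bin/sh
# Constructed sample in `netstat -at` layout (documentation addresses,
# not taken from the post).
sample_netstat() {
cat <<'EOF'
tcp        0      0 *:www                  *:*                     LISTEN
tcp        0      0 hostname.net:www       192.0.2.10:47144        TIME_WAIT
tcp        0      0 hostname.net:www       192.0.2.10:46442        TIME_WAIT
tcp        0      0 hostname.net:www       192.0.2.10:46427        TIME_WAIT
tcp        0      0 hostname.net:www       192.0.2.10:46424        TIME_WAIT
tcp        0      0 hostname.net:www       192.0.2.10:46500        ESTABLISHED
tcp        0      0 hostname.net:www       198.51.100.7:1025       SYN_RECV
tcp        0      0 hostname.net:www       198.51.100.7:1026       SYN_RECV
tcp        0      0 hostname.net:www       198.51.100.7:1027       SYN_RECV
tcp        0      0 hostname.net:www       203.0.113.5:33012       TIME_WAIT
tcp        0      0 hostname.net:ssh       203.0.113.5:33100       ESTABLISHED
EOF
}

# summarise_www: read netstat lines on stdin and print
# "count state remote_host" for connections to the local web port,
# highest count first. Column 4 is the local address (always :www here),
# column 5 is the remote address with the client's own source port.
summarise_www() {
    awk '
        $1 ~ /^tcp/ && $4 ~ /:(www|http|80)$/ && $6 != "LISTEN" {
            host = $5
            sub(/:[^:]*$/, "", host)   # drop the remote source port
            n[$6 " " host]++
        }
        END { for (k in n) print n[k], k }
    ' | sort -k1,1nr -k2,3
}

# half_open_hosts THRESHOLD: print remote hosts holding at least
# THRESHOLD connections in SYN_RECV (handshake never completed).
half_open_hosts() {
    summarise_www | awk -v t="$1" '$2 == "SYN_RECV" && $1 >= t { print $3 }'
}

# Stand-alone run: per-host summary of the constructed sample.
sample_netstat | summarise_www
```

In the cron job, `netstat -at | summarise_www` replaces the raw `grep www` listing with one line per host and state.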